FAQ
Awesome Telemetry is a list of the telemetry produced by EDR (Endpoint Detection and Response) products and tools, which can be used to create verbose logs that augment existing data sources. The main goal of this repository is to encourage EDR vendors to be more transparent about the telemetry they provide to their customers.
The purpose of this repository is to compare the telemetry generated by different EDR products. The telemetry must be available to the consumers of the products to help them build additional detections and conduct threat hunting.
No. The telemetry of the EDR products listed here is not fixed and may improve over time. The last_updated field indicates the last time the data sources were updated, but this might not always reflect the current telemetry capabilities of each product.
Yes! We are looking into mapping the table's Event Categories and Sub-Categories to MITRE ATT&CK®. We are also considering creating mappings for the MITRE D3FEND project.
EDR telemetry for this project is defined as a source of data or an event that is automatically collected and transmitted by a sensor in real time, or close to real time, as the event occurs. It does NOT include historical events from before the EDR was installed, live querying of artifacts, or access to artifacts on a system.
The Telemetry Comparison Table focuses on out-of-the-box events, not on signals (detections or correlated events) or additional modules and integrations. Tracking the different configurations and optional modules offered by EDR vendors would be challenging, so only the default telemetry events available to customers immediately after installing the sensor are considered for comparison.
The Telemetry Comparison Table compares the available telemetry for different EDR products. Please note that the data in the table does not represent the capability of each EDR product to detect or prevent a threat. This is ONLY a comparison of the telemetry available from each of these products.
This table only compares the available telemetry for each EDR product and does not represent their ability to detect or prevent threats. The purpose of the table is to help users understand the telemetry provided by different EDR products, but it is not an assessment of their overall performance or effectiveness.
The nature of the repository is to promote transparency and encourage EDR vendors to share their telemetry data. As more vendors make their telemetry available, it is possible that the table will be updated to include any missing information or additional events.
Yes! We are planning to create a table for Linux and macOS at later stages of this project.
If you have information about an EDR product's telemetry that is not listed in the repository, you can contribute by submitting a pull request or opening an issue with the relevant information. We ask that all contributors provide proof of the proposed changes based on the EDR product's official documentation. Please reach out to @kostastsale or @ateixei on Twitter if you would like to share this privately. We count on the community to help us improve this project and take it to the next level over time.