EDR Telemetry Tracking for Windows

	A	B	C	D	E	F	G	H	I	J	K	L	M	N	O	P	Q	R	S	T
1
2	LEGEND														GitHub Project	https://github.com/tsale/EDR-Telemetry
3	✅	Implemented													Products Docs	https://github.com/tsale/EDR-Telemetry/wiki#product-documentation-references
4	❌	Not Implemented													FAQ	https://github.com/tsale/EDR-Telemetry/wiki/FAQ
5	⚠️	Partially Implemented
6	❓	Pending Response													Last Update	July 05, 2024
7	🪵	Via Windows EventLogs (EDR is inspecting windows event logs to collect the telemetry)
8	🎚️	Via EnablingTelemetry (Additional telemetry that can be enabled easily as part of the EDR product but is not ON by default.)
9
10	Telemetry Feature Category	Sub-Category	Carbon Black	Cortex XDR	CrowdStrike	Cybereason	ESET Inspect	Elastic	Harfanglab	LimaCharlie	MDE	Qualys	Sentinel One	Symantec SES Complete	Sysmon	Trellix	Trend Micro	WatchGuard	MITRE ATT&CK Mappings

11	Process Activity	Process Creation	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	Process Creation - DS0009
12		Process Termination	⚠️	✅	✅	✅	✅	✅	❌	✅	✅	✅	❌	✅	✅	❌	🎚️	❌	Process Termination - DS0009
13		Process Access	✅	✅	✅	✅	⚠️	✅	✅	✅	✅	❌	✅	✅	✅	✅	✅	❌	Process Access - DS0009
14		Image/Library Loaded	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	Module Load - DS0011
15		Remote Thread Creation	✅	✅	✅	✅	✅	✅	✅	✅	✅	❌	✅	❌	✅	✅	✅	✅	OS API Execution (Partial) - DS0009	Process Access (Partial) - DS0009
16		Process Tampering Activity	⚠️	⚠️	✅	❓	❌	✅	✅	✅	✅	❌	⚠️	✅	✅	✅	✅	❌	Process Modification - DS0009
17	File Manipulation	File Creation	✅	✅	✅	✅	⚠️	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	⚠️	File Creation - DS0022
18		File Opened	✅	❌	✅	❌	❌	✅	✅	⚠️	❌	❌	❌	✅	❌	✅	⚠️	⚠️	File Opened - DS0022
19		File Deletion	✅	✅	✅	✅	✅	✅	❌	✅	✅	✅	✅	✅	✅	✅	❌	❌	File Deletion - DS0022
20		File Modification	✅	✅	✅	❌	✅	✅	✅	✅	✅	❌	✅	✅	❌	✅	✅	❌	File Modification - DS0022
21		File Renaming	✅	✅	✅	✅	✅	✅	✅	⚠️	✅	✅	✅	✅	❌	✅	❌	⚠️	File Renaming - DS0022
22	User Account Activity	Local Account Creation	❌	🪵	✅	❌	✅	🪵	🪵	🪵	✅	❌	✅	❌	❌	✅	❌	❌	Local Account Creation - DS0002
23		Local Account Modification	❌	🪵	⚠️	❌	✅	🪵	🪵	🪵	✅	❌	🪵	❌	❌	✅	❌	❌	Local Account Modification - DS0002
24		Local Account Deletion	❌	🪵	✅	❌	✅	🪵	🪵	🪵	✅	❌	🪵	❌	❌	✅	❌	❌	Local Account Deletion - DS0002
25		Account Login	🪵	✅	✅	✅	✅	✅	✅	⚠️	✅	❌	✅	✅	❌	✅	🪵	✅	Account Login (User Account Authentication) - DS0002	Account Login (Logon Session Creation) - DS0028
26		Account Logoff	🪵	✅	✅	✅	✅	✅	✅	🪵	❌	❌	🪵	✅	❌	✅	🪵	✅	-
27	Network Activity	TCP Connection	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	🎚️	✅	✅	✅	✅	TCP Connection - DS0029
28		UDP Connection	✅	✅	✅	✅	❌	✅	🪵	✅	✅	✅	❌	🎚️	✅	✅	✅	✅	UDP Connection - DS0029
29		URL	❌	❌	✅	❌	✅	⚠️	✅	⚠️	✅	✅	🎚️	⚠️	❌	✅	❌	⚠️	URL - DS0029
30		DNS Query	✅	✅	✅	✅	✅	✅	✅	✅	✅	❌	✅	❌	✅	✅	✅	✅	DNS Query - DS0029
31		File Downloaded	❌	❌	✅	⚠️	⚠️	❌	❌	⚠️	✅	❌	❌	❌	❌	❌	✅	✅	File Downloaded (Network Traffic Content) - DS0029	File Downloaded (File Creation) - DS0022
32	Hash Algorithms	MD5	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	MD5 - DS0022
33		SHA	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	❌	SHA - DS0022
34		IMPHASH	❌	❌	❌	❌	❌	⚠️	✅	❌	❌	❌	❌	❌	✅	❌	❌	❌	IMPHASH - DS0022
35	Registry Activity	Key/Value Creation	✅	✅	⚠️	⚠️	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	Key/Value Creation - DS0024
36		Key/Value Modification	✅	✅	⚠️	⚠️	✅	✅	✅	✅	✅	❌	✅	✅	✅	✅	✅	✅	Key/Value Modification - DS0024
37		Key/Value Deletion	✅	✅	❌	⚠️	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	Key/Value Deletion - DS0024
38	Schedule Task Activity	Scheduled Task Creation	❌	🪵	✅	✅	✅	🪵	🪵	🪵	✅	❌	✅	❌	❌	❌	🪵	❌	Scheduled Task Creation - DS0003
39		Scheduled Task Modification	❌	🪵	✅	✅	❌	🪵	🪵	🪵	✅	❌	✅	❌	❌	✅	❌	❌	Scheduled Task Modification - DS0003
40		Scheduled Task Deletion	❌	🪵	✅	❌	❌	🪵	🪵	🪵	✅	❌	✅	❌	❌	❌	❌	❌	Scheduled Task Deletion - DS0003
41	Service Activity	Service Creation	⚠️	🪵	✅	✅	✅	🪵	🪵	✅	🪵	❌	✅	❌	❌	❌	❌	❌	Service Creation - DS0019
42		Service Modification	❌	🪵	⚠️	❌	❌	🪵	🪵	✅	❌	❌	🎚️	❌	❌	✅	❌	⚠️	Service Modification - DS0019
43		Service Deletion	❌	❌	❌	❌	❌	🪵	❌	❓	❌	❌	❌	❌	❌	❌	❌	❌	Service Deletion - DS0019
44	Driver/Module Activity	Driver Loaded	❌	✅	✅	✅	✅	✅	✅	✅	✅	❌	✅	❌	✅	❌	❌	❌	Driver Loaded - DS0027
45		Driver Modification	❌	❌	✅	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	❌	Driver Modification - DS0022
46		Driver Unloaded	❌	❌	❌	❌	❌	❌	❌	❌	❌	❌	⚠️	❌	❌	❌	❌	❌	-
47	Device Operations	Virtual Disk Mount	❌	⚠️	✅	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌	❌	✅	Virtual Disk Mount - DS0016
48		USB Device Unmount	❌	⚠️	✅	✅	❌	❌	❌	⚠️	✅	❌	🎚️	🎚️	❌	❌	❌	✅	USB Device Unmount - DS0016
49		USB Device Mount	⚠️	⚠️	✅	✅	❌	❌	❌	⚠️	✅	❌	🎚️	🎚️	❌	❌	❌	✅	USB Device Mount - DS0016
50	Other Relevant Events	Group Policy Modification	❌	❌	❌	❌	❌	❌	❌	❌	✅	❌	✅	❌	❌	❌	❌	❌	Group Policy Modification - DS0026
51	Named Pipe Activity	Pipe Creation	⚠️	❌	✅	❌	✅	❌	✅	✅	✅	❌	🎚️	❌	✅	❌	❌	❌	Pipe Creation - DS0023
52	Named Pipe Activity	Pipe Connection	❌	❌	✅	❌	❌	❌	✅	✅	✅	❌	🎚️	❌	✅	✅	❌	❌	Pipe Connection - DS0023
53	EDR SysOps	Agent Start	❌	⚠️	✅	✅	❌	❌	✅	✅	🪵	✅	✅	🎚️	✅	❓	❌	❌	Agent Start - DS0013
54		Agent Stop	❌	✅	✅	✅	❌	✅	✅	✅	🪵	✅	✅	🎚️	✅	❓	❌	❌	Agent Stop - DS0013
55		Agent Install	❌	✅	❌	✅	✅	❌	✅	✅	🪵	✅	✅	🎚️	❌	✅	❌	✅	Agent Install - DS0013
56		Agent Uninstall	❌	✅	✅	✅	✅	✅	❌	❌	❌	❌	✅	🎚️	❌	✅	❌	✅	Agent Uninstall - DS0013
57		Agent Keep-Alive	❌	✅	✅	✅	✅	❌	✅	✅	🪵	✅	✅	🎚️	❌	❓	❌	❌	Agent Keep-Alive - DS0013
58		Agent Errors	❌	✅	✅	❌	✅	✅	✅	✅	✅	✅	✅	🎚️	✅	❓	❌	❌	Agent Errors - DS0013
59	WMI Activity	WmiEventConsumerToFilter	❌	🎚️	✅	✅	✅	❌	✅	❌	✅	❌	✅	⚠️	✅	✅	🪵	✅	WmiEventConsumerToFilter - DS0005
60		WmiEventConsumer	❌	🎚️	✅	✅	✅	❌	✅	❌	✅	❌	✅	⚠️	✅	✅	🪵	✅	WmiEventConsumer - DS0005
61		WmiEventFilter	❌	🎚️	✅	✅	✅	❌	✅	❌	✅	❌	✅	⚠️	✅	✅	🪵	✅	WmiEventFilter - DS0005
62	BIT JOBS Activity	BIT JOBS Activity	❌	🎚️	✅	❌	❌	❌	❌	❌	❌	❌	❌	❌	❌	✅	❌	❌	PowerShell Activity - DS0012	PowerShell Activity - DS0017
63	PowerShell Activity	Script-Block Activity	✅	🪵	✅	❌	✅	❌	✅	🪵	✅	❌	✅	✅	❌	✅	❌	❌	Script-Block Activity - DS0012
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100