Frequently Asked Questions

Common questions about the EDR Telemetry Project and their answers.

What is EDR Telemetry?

EDR telemetry refers to the data collected and transmitted by Endpoint Detection and Response (EDR) products and tools. These products are designed to monitor, detect, and respond to potential threats and suspicious activities on endpoints such as computers, servers, and other devices within a network.

What is the purpose of this project?

The EDR Telemetry Project aims to:

Compare and evaluate telemetry capabilities across different EDR products
Help security practitioners make informed decisions about EDR tools
Encourage EDR vendors to be more transparent about their telemetry features
Provide a comprehensive reference for EDR telemetry capabilities

How is the data collected?

The data is collected through:

Direct testing in controlled environments
Documentation review from vendors
Community contributions and verification
Continuous updates and validation

How can I contribute?

You can contribute by:

Submitting telemetry data for EDR products
Verifying existing data
Reporting discrepancies or updates
Joining our Discord community

Visit our Contribution page for more details.

How often is the data updated?

The data is updated regularly as new information becomes available. We encourage the community to help keep the information current. You can also search on Github Pull Requests/commits for the EDR you are interested in to find the last updated date.

What do the different symbols mean?

We use the following symbols in our telemetry tables:

✅ - Feature is fully implemented
❌ - Feature is not implemented
⚠️ - Feature is partially implemented
❓ - Information is pending or unverified
🪵 - Collected via Windows Event Logs
🎚️ - Available through additional telemetry settings

Still have questions? We're here to help!