EDR Telemetry Categories

This category focuses on the telemetry associated with the lifecycle and manipulation of processes on the system. It is foundational for establishing visibility into execution flow, child-parent relationships, and process-based techniques such as injection or tampering.

Process creation events, process termination, process access, image/library loading, remote thread creation, process tampering activity, and process call stacks.

Provides the foundation for execution visibility. Used to map process trees, identify suspicious binaries, track execution lineage, and detect process injection techniques.

Malicious process creation, suspicious parent-child relationships, process injection, code execution, and lateral movement techniques.

This category tracks outbound and inbound connections, name resolution, and download behavior to establish context around external communication and potential command-and-control.

TCP connections, UDP connections, URLs accessed, DNS queries, and file downloads from external sources.

Allows tracking of command-and-control infrastructure, lateral movement via network connections, and data exfiltration attempts.

Malware beaconing, suspicious domain access, data exfiltration, and lateral movement through the network.

This category tracks file-level interactions which are essential for uncovering persistence mechanisms, staging activity, payload delivery, and destructive actions.

File creation, file opening, file deletion, file modification, and file renaming events.

Identifies artifact creation associated with malware staging, configuration drops, script deployment, and potential evidence wiping.

Ransomware file encryption, malicious script creation, configuration file tampering, and data staging for exfiltration.

This category includes telemetry on registry operations that can indicate persistence mechanisms, configuration changes, and attacker tooling setup.

Registry key/value creation, modification, and deletion events.

Supports detection of persistence setup, software installation behavior, and malicious tampering with system configuration.

Autorun registry modifications, malware persistence mechanisms, and system configuration tampering.

This category provides insight into changes to local user accounts and authentication events. Useful for privilege escalation, persistence, and lateral movement tracking.

Local account creation, modification, deletion, login events, and logoff events.

Identifies unauthorized access setup, privilege escalation attempts, and suspicious authentication patterns.

Creation of rogue accounts, privilege escalation through group membership changes, and anomalous login activity.

This category focuses on the fingerprinting of files or memory regions using hashing algorithms to allow deduplication, integrity checks, and malware correlation.

MD5, SHA1, SHA256, and IMPHASH values of files and memory regions.

Enables matching against known threat indicators and helps identify malware families through import table similarity.

Identification of known malicious files, grouping of malware variants, and integrity verification of system files.

This category captures telemetry related to scheduled tasks, a common persistence and execution mechanism.

Scheduled task creation, modification, and deletion events.

Provides insight into persistence mechanisms and automated execution setups.

Malware establishing persistence through scheduled tasks, tampering with existing tasks, and cleanup activities.

This category tracks Windows service changes that are often used for persistence or execution.

Service creation, modification, and deletion events.

Useful for tracking persistent system-level execution points and detecting malicious service configurations.

Malware installing backdoor services, modifying legitimate services for malicious purposes, and service-based persistence mechanisms.

This category monitors kernel-level drivers and modules that may affect the stability, security, or integrity of the system.

Driver loading, modification, and unloading events.

Key for rootkit detection and monitoring signed/unsigned driver behavior.

Rootkit installation, kernel-level exploits, and driver tampering for persistence or privilege escalation.

This category provides telemetry related to physical and virtual devices, especially removable or mountable media.

Virtual disk mount events, USB device mount and unmount events.

Monitors for data exfiltration, unauthorized device usage, and staging behavior.

Data exfiltration via USB devices, malware delivery through removable media, and use of virtual disks for hiding malicious content.

Named pipes are a common method for inter-process communication (IPC) and are often used in lateral movement and evasion.

Pipe creation and connection events.

Helps identify malicious IPC channels, staging behavior, and post-exploitation frameworks.

Malware command and control channels, lateral movement techniques, and post-exploitation activity.

This category includes operational telemetry from the EDR agent itself to track its lifecycle and health.

Agent start, stop, install, uninstall, keep-alive, and error events.

Critical for detecting tampering or evasion attempts and ensuring continuous protection.

EDR tampering, agent disabling, and security control evasion techniques.

This category focuses on Windows Management Instrumentation activity, which is often abused for persistence, execution, and reconnaissance.

WMI event consumer to filter binding, event consumer creation/modification, and event filter creation/modification.

Crucial for understanding execution triggers and persistence setup through WMI.

Fileless malware persistence, WMI-based lateral movement, and stealthy execution techniques.

This category covers telemetry related to Background Intelligent Transfer Service (BITS), a mechanism sometimes used by attackers for stealthy downloads or task scheduling.

BITS job creation, update, and execution events.

Helps detect covert tasking and stealthy download operations.

Malware using BITS for stealthy downloads, persistence through BITS jobs, and covert command and control channels.

This category provides visibility into PowerShell script execution, an essential component of modern threat actor toolkits.

PowerShell script-block activity, including raw script content and metadata.

Provides deep inspection capability of executed scripts, even those that are obfuscated or multi-stage.

Fileless malware, obfuscated PowerShell attacks, credential theft scripts, and post-exploitation frameworks.

This event offers supplementary visibility into critical system-level changes or access points.

Changes made to group policy objects or local policy settings.

Important for tracking unauthorized configuration changes or policy abuse.

Security policy weakening, privilege escalation through policy changes, and enterprise-wide malicious configuration deployment.