Why is XDR telemetry something more?


“Telemetry” here means the activity data generated by the devices and products that secure the IT infrastructure. Security solutions process events from channels such as e-mail, endpoints, servers, cloud instances and the organization’s network. Because each security product collects or generates a different type of activity data, an XDR platform gathers that telemetry in one place to detect and hunt for known and unknown threats and to support root cause analysis.

Examples of the types of data collected include, but are not limited to:

Network Events

  • Traffic flow patterns
  • North-south and east-west connections made
  • Suspicious network traffic behavior
  • TLS (formerly SSL) fingerprints

Instances (or accounts) in the cloud

  • Configuration changes
  • New / changed instances
  • User account activity
  • Processes
  • Executed commands
  • Network connections
  • Files created / available
  • Registry modifications

E-mail

  • Message metadata (external and internal e-mail)
  • Attachment metadata
  • External links
  • User activity (e.g. logging in)

End points

  • Processes
  • Executed commands
  • Network connections
  • Files created / available
  • Registry modifications

What distinguishes one XDR platform from another is which data it collects and how that data is used. It is common today to equate telemetry with metadata and NetFlow, but alert-level data of that kind does not by itself carry the context an analyst needs to run an investigation and decide what action to take.

Understanding how telemetry is structured and stored is as important as understanding what telemetry is collected. Depending on the event type, different databases and schemas are better suited to how the data is written, queried and used.

For example:

For network data, which is essentially a set of connections between hosts, a graph database is the most efficient store, whereas for endpoint data the Elasticsearch search and analytics engine is preferable.

Or:

Standalone PowerShell activity may not produce a SIEM alert on its own, but XDR can evaluate and correlate actions across several security layers, including the endpoint, so that the whole chain is surfaced.
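As an added illustration of the PowerShell case above (example code written for this page, not part of the original article or of any XDR product), the Python below models normalized telemetry from three layers and shows that an endpoint-only rule matches PowerShell starts on every host, while the chained pattern of external attachment, Office parent spawning PowerShell, and that PowerShell opening an outbound connection singles out one incident. The event records, hostnames, user names, the 203.0.113.10 address and the 15-minute window are all constructed assumptions for the example.

```python
"""Cross-layer correlation over constructed XDR-style telemetry.

Added example: a small, self-contained model of why a lone PowerShell start
rarely justifies a SIEM alert, while the same event chained with e-mail and
network telemetry does. All events, hosts, users and addresses below are
constructed for illustration and come from no real environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One normalized telemetry record; `layer` names the security layer it came from."""
    ts: datetime
    layer: str      # "email", "endpoint" or "network"
    host: str       # asset the event is attributed to (the mail gateway for e-mail)
    user: str       # identity the event is attributed to
    kind: str       # event type within the layer
    detail: dict    # layer-specific attributes


T0 = datetime(2024, 1, 15, 9, 0, 0)

# Constructed sample telemetry (assumed values, not captured data).
SAMPLE_EVENTS = [
    Event(T0, "email", "mail-gw", "alice", "attachment",
          {"filename": "invoice.docm", "sender": "billing@example.net", "external": True}),
    Event(T0 + timedelta(minutes=2), "endpoint", "ws-17", "alice", "process",
          {"image": "WINWORD.EXE", "parent": "explorer.exe", "cmdline": "WINWORD.EXE invoice.docm"}),
    Event(T0 + timedelta(minutes=2, seconds=30), "endpoint", "ws-17", "alice", "process",
          {"image": "powershell.exe", "parent": "WINWORD.EXE",
           "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"}),
    Event(T0 + timedelta(minutes=3), "network", "ws-17", "alice", "connection",
          {"dst": "203.0.113.10", "dport": 443, "process": "powershell.exe"}),
    # Routine administration on another host: PowerShell, but no lure and no Office parent.
    Event(T0 + timedelta(hours=1), "endpoint", "srv-02", "bob", "process",
          {"image": "powershell.exe", "parent": "cmd.exe", "cmdline": "powershell Get-Service"}),
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
WINDOW = timedelta(minutes=15)   # assumed correlation window


def is_powershell_start(e):
    return e.layer == "endpoint" and e.kind == "process" and e.detail["image"].lower() == "powershell.exe"


def single_layer_powershell_hosts(events):
    """What a rule that sees only endpoint process telemetry can say: which
    hosts started powershell.exe. Both hosts match here, which is why such a
    rule is usually too noisy to page on by itself."""
    return sorted({e.host for e in events if is_powershell_start(e)})


def correlate(events, window=WINDOW):
    """Chain e-mail, endpoint and network telemetry per user within `window`:
    an external attachment delivered, then an Office process spawning
    powershell.exe, then that powershell.exe opening an outbound connection.
    Returns one incident dict per completed chain."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    incidents = []
    for user, evs in by_user.items():
        for ps in evs:
            if not (is_powershell_start(ps) and ps.detail["parent"].upper() in OFFICE_PARENTS):
                continue
            # E-mail layer: an external attachment delivered shortly before the process start.
            lures = [x for x in evs
                     if x.layer == "email" and x.kind == "attachment" and x.detail.get("external")
                     and timedelta(0) <= ps.ts - x.ts <= window]
            # Network layer: the same host's powershell.exe connecting out shortly after.
            conns = [x for x in evs
                     if x.layer == "network" and x.host == ps.host
                     and x.detail.get("process", "").lower() == "powershell.exe"
                     and timedelta(0) <= x.ts - ps.ts <= window]
            if lures and conns:
                incidents.append({
                    "user": user,
                    "host": ps.host,
                    "layers": ["email", "endpoint", "network"],
                    "lure": lures[0].detail["filename"],
                    "parent": ps.detail["parent"],
                    "cmdline": ps.detail["cmdline"],
                    "destinations": [c.detail["dst"] for c in conns],
                })
    return incidents


if __name__ == "__main__":
    print("endpoint-only view, hosts starting powershell:", single_layer_powershell_hosts(SAMPLE_EVENTS))
    for inc in correlate(SAMPLE_EVENTS):
        print("correlated incident:", inc)
```

The endpoint-only function returns both hosts, so a SIEM rule on that single layer either fires on every administrator session or gets tuned out; the correlation keys on the user and host across layers, which is the point of holding the telemetry in one place rather than as separate alert streams.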

An XDR platform built on its own native product stack has the advantage of knowing its data intimately. That lets the platform collect exactly what is needed to tune its analytical models for data correlation, in-depth investigation and threat hunting. Laying out different telemetry types as different structures in the data lake can significantly affect how well that data performs for detection, correlation and investigation.

