
Telemetry Collection

Defend collects endpoint telemetry — process executions, network connections, file operations, and more — and streams it through Azure Event Hub into Azure Data Explorer (ADX) for real-time detection and historical investigation.

What Is Collected

Event Types

Event Type                          Windows   macOS   Linux
Process create/terminate            ETW       ESF     eBPF
Network connect/send/receive        ETW       ESF     eBPF
DNS query                           ETW       ESF     eBPF
File create/modify/delete/rename    ETW       ESF     eBPF
Registry create/modify/delete       ETW
DLL load                            ETW
Service install                     ETW
Scheduled task create/modify        ETW
User logon/logoff/failed logon      ETW       ESF     eBPF

Fields Per Event

Each telemetry event includes 40+ attributes:

  • Identity — event_id, device_id, org_id, timestamp
  • Process — process_name, process_path, pid, ppid, parent_process, command_line, user, hash_sha256
  • Network — dst_ip, dst_port, src_ip, src_port, protocol, dns_query
  • File — file_path, file_old_path (renames), hash_sha256
  • Registry — registry_key, registry_value, registry_data (Windows only)
  • DLL — dll_path, dll_hash (Windows only)
  • Meta — os_type, agent_version

What Is NOT Collected

Defend collects metadata only — never file contents. Specifically:

  • No file content or document text
  • No email bodies or message content
  • No keystrokes or screen captures
  • No browser history or cookies
  • No personal files outside of metadata (name, path, hash)

Collection Methods

Windows — Event Tracing for Windows (ETW)

ETW is a kernel-level tracing facility built into Windows. Defend subscribes to security-relevant ETW providers to capture process, network, file, registry, and authentication events with minimal overhead.

macOS — Endpoint Security Framework (ESF)

Apple's ESF provides a kernel-level notification system for security-relevant events. Defend registers as an ESF client to receive process, file, and network event notifications.

Linux — eBPF Probes

Extended Berkeley Packet Filter (eBPF) programs attach to kernel tracepoints and kprobes. Defend uses eBPF to trace syscalls, network connections, and file access without kernel module dependencies.

Telemetry Pipeline

Agent → Event Hub (Premium, 16 partitions) → ADX Raw Tables → ADX Typed Tables
  1. Agent batching — Events are batched locally (configurable interval, default 1000ms)
  2. Signing — Each batch is HMAC-SHA256 signed with the device key (prevents injection and replay)
  3. Encryption — Local disk buffer encrypted with AES-256-GCM while awaiting delivery
  4. Event Hub — Three hubs (defend-windows, defend-linux, defend-macos), 16 partitions each
  5. ADX ingestion — Raw tables (1-day TTL) receive events, then update policies route to typed tables
  6. Typed tables — ProcessEvents, NetworkEvents, FileEvents, RegistryEvents (90-day retention)

Data Retention

Tier                Retention   Storage
Hot (ADX raw)       1 day       Azure Data Explorer
Warm (ADX typed)    90 days     Azure Data Explorer
Cold (archive)      1 year      Azure Blob Archive

Telemetry Controls

You can reduce telemetry volume or exclude sensitive endpoints:

  • Process exclusions — Skip events from specific process names (e.g., your backup agent)
  • Path exclusions — Skip file monitoring for specific directories
  • Event type toggles — Disable collection of specific event types (e.g., disable DLL load events)
  • Sampling rate — Scale collection from 0.0 (nothing) to 1.0 (everything) for high-activity endpoints

ℹ️ Telemetry exclusions reduce noise but also reduce detection coverage. Use exclusions carefully and only for processes and paths you've verified are safe.
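The following is an added illustration, not Defend's own agent code: it models the four telemetry controls above (process exclusions, path exclusions, event type toggles, sampling rate) as a small policy object and reports how many events each control drops, which is the number to look at before rolling out an exclusion. The event dicts, the class and method names, and the deterministic hash-based sampling are all assumptions made for this example; the real agent's internal behaviour is not documented on this page.

```python
import fnmatch
import hashlib

# Constructed sample events (illustrative only; field names follow the
# attribute list above, the values are made up).
SAMPLE_EVENTS = [
    {"event_id": "evt-1", "event_type": "process", "process_name": "BackupAgent.exe", "file_path": None},
    {"event_id": "evt-2", "event_type": "file", "process_name": "explorer.exe",
     "file_path": "C:\\Temp\\build\\a.obj"},
    {"event_id": "evt-3", "event_type": "dll", "process_name": "svchost.exe", "file_path": None},
    {"event_id": "evt-4", "event_type": "process", "process_name": "powershell.exe", "file_path": None},
]


class TelemetryPolicy:
    """Hypothetical agent-side filter modelling the four controls above."""

    def __init__(self, process_exclusions=(), path_exclusions=(),
                 disabled_event_types=(), sampling_rate=1.0):
        if not 0.0 <= sampling_rate <= 1.0:
            raise ValueError("sampling_rate must be between 0.0 and 1.0")
        # Process names are compared case-insensitively (Windows is not case-sensitive).
        self.process_exclusions = {p.lower() for p in process_exclusions}
        self.path_exclusions = tuple(path_exclusions)
        self.disabled_event_types = set(disabled_event_types)
        self.sampling_rate = sampling_rate

    @staticmethod
    def sample_bucket(event_id):
        """Map an event id to a stable value in [0, 1) so sampling is
        deterministic: the same event is kept or dropped every time."""
        digest = hashlib.sha256(event_id.encode()).digest()
        return int.from_bytes(digest[:8], "big") / 2 ** 64

    def decide(self, event):
        """Return 'accepted' or the name of the control that dropped the event.
        Exclusions and toggles are applied before sampling, so an event an
        operator explicitly excluded never counts against the sampling budget."""
        if event["event_type"] in self.disabled_event_types:
            return "event_type_disabled"
        if event["process_name"].lower() in self.process_exclusions:
            return "process_exclusion"
        path = event.get("file_path")
        if path and any(fnmatch.fnmatchcase(path, pat) for pat in self.path_exclusions):
            return "path_exclusion"
        if self.sample_bucket(event["event_id"]) >= self.sampling_rate:
            return "sampled_out"
        return "accepted"

    def apply(self, events):
        """Events that survive the policy, in their original order."""
        return [e for e in events if self.decide(e) == "accepted"]

    def coverage_report(self, events):
        """Count of events per outcome: shows how much detection coverage a
        policy change gives up before it is deployed to endpoints."""
        report = {}
        for e in events:
            reason = self.decide(e)
            report[reason] = report.get(reason, 0) + 1
        return report


if __name__ == "__main__":
    policy = TelemetryPolicy(
        process_exclusions=["backupagent.exe"],
        path_exclusions=["C:\\Temp\\*"],
        disabled_event_types=["dll"],
        sampling_rate=1.0,
    )
    print(policy.coverage_report(SAMPLE_EVENTS))
```

Running the block on the constructed events reports one drop per control and one accepted event; a sampling rate of 0.0 drops everything and 1.0 keeps everything, matching the scale described in the list above. Hash-based sampling is used instead of a random draw so that replaying the same events through the policy gives the same answer, which makes coverage reviews reproducible.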

Telemetry Security

Every telemetry batch includes:

  • HMAC-SHA256 signature — Proves the batch came from the enrolled device
  • Monotonic sequence number — Prevents replay of old batches
  • Events hash — Ensures batch integrity (no events added or removed in transit)
  • Device-scoped SAS token — Each device can only write to its own Event Hub publisher partition
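To make the batch protections above concrete (and step 2, "Signing", of the pipeline section), here is an added example, not Defend's own agent or ingestion code, showing a signed batch on the agent side and the checks the pipeline side would run on it: HMAC-SHA256 over the header with the device key, a monotonic sequence number rejected on replay, and an events hash that catches events added or removed in transit. The header layout, the `AgentSigner` and `IngestVerifier` names, the JSON canonicalisation and the constructed key are all assumptions; the device-scoped SAS token is enforced by Event Hub itself and is not modelled here.

```python
import hashlib
import hmac
import json


def canonical(obj):
    """Stable JSON encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def events_hash(events):
    """Integrity hash over the whole event list (the 'events hash' above)."""
    return hashlib.sha256(canonical(events)).hexdigest()


class AgentSigner:
    """Hypothetical agent side: wraps a batch of events in a signed header."""

    def __init__(self, device_id, device_key):
        self.device_id = device_id
        self.device_key = device_key   # per-device secret from enrollment (assumed)
        self.seq = 0                   # monotonic; a real agent persists this across restarts

    def build_batch(self, events, timestamp):
        self.seq += 1
        header = {
            "device_id": self.device_id,
            "seq": self.seq,
            "timestamp": timestamp,
            "events_hash": events_hash(events),
        }
        # Signing the header (which contains the events hash) covers the events too.
        signature = hmac.new(self.device_key, canonical(header), hashlib.sha256).hexdigest()
        return {"header": header, "events": events, "signature": signature}


class IngestVerifier:
    """Hypothetical pipeline side: verifies each batch before ingestion."""

    def __init__(self, device_keys):
        self.device_keys = device_keys   # device_id -> key, as held by the backend
        self.last_seq = {}               # highest accepted sequence number per device

    def verify(self, batch):
        """Return 'ok' or the name of the first check that failed.
        The sequence counter is only advanced once every check has passed,
        so a forged or tampered batch cannot burn a sequence number."""
        header = batch["header"]
        device_id = header["device_id"]
        key = self.device_keys.get(device_id)
        if key is None:
            return "unknown_device"
        expected = hmac.new(key, canonical(header), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, batch["signature"]):
            return "bad_signature"
        if events_hash(batch["events"]) != header["events_hash"]:
            return "events_tampered"
        if header["seq"] <= self.last_seq.get(device_id, 0):
            return "replay"
        self.last_seq[device_id] = header["seq"]
        return "ok"


if __name__ == "__main__":
    KEY = b"constructed-device-key-not-a-real-secret"
    agent = AgentSigner("dev-001", KEY)
    ingest = IngestVerifier({"dev-001": KEY})
    batch = agent.build_batch([{"event_id": "e1", "process_name": "a.exe"}], "2024-01-01T00:00:00Z")
    print(ingest.verify(batch))   # first delivery is accepted
    print(ingest.verify(batch))   # same batch again is rejected as a replay
```

Two details are worth noting: `hmac.compare_digest` is used for the signature comparison so that verification time does not leak how many leading bytes matched, and a batch that fails any check leaves `last_seq` untouched, so an attacker who can see traffic cannot use a tampered copy to make the device's next genuine batch look like a replay.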

Next Steps