EDR Telemetry Project Criticism Author Response
The author of the EDR Telemetry Project responded, accusing me of spreading misinformation by saying his project was for detection, and that it has always only ever been about telemetry.
The problem is, his own words contradict him. Nowhere does the site say the project isn't for detection; the creator gives detection as its primary use case in the screenshot below, and he was the source of this claim. I didn't make it up, I pulled it from his own writing. Why he is stating this is beyond me.
The author himself as you can see in the below image describes that as the prime use case:

How can I be misleading when he's the source of the claim? The tool is an EDR, which means Detection. If its telemetry isn't for detection, that should be stated; however, it isn't overtly outlined anywhere, and he suggests the opposite, that it can be used for detection, as you can see in his own words.
It is disingenuous to say Vendor A has something fully implemented yet it can't be used, while Vendor B might have a partial implementation but can actually use the data; if the author can't see that, then I recommend he re-read this post. I am sorry, but if you have to use a second telemetry tool because your EDR doesn't let you use the telemetry it collects, it is objectively not as "fully implemented" as one that does, regardless of whether it is used for detection or not.
He also noted that the definitions of what is considered "fully implemented" are already well defined and on the website. I asked if he could provide me a link to the specific details that each event needs to meet at a minimum to get "fully implemented", saying that I would update the blog post to reflect it, and was blocked. Well defined in my mind means having a list of minimum required fields so that it isn't ambiguous.
At the time of writing this, that does not exist, and if it does exist I will gladly update this post to reflect that.
Lastly, he mentioned that my comment about organizations using Sysmon to augment CrowdStrike for detection was anecdotal. He's right, it's an anecdote, because I protect my clients' privacy. But let's be realistic: large enterprise detection teams are bigger than most MSSPs' teams.
If you don't think they're building custom detections for things like DLL loads, you haven't worked at that level. We both agree an EDR isn't chosen on telemetry alone, which is precisely why so many organizations pick CrowdStrike for its core strengths and then augment it themselves with Sysmon by choice.
I often see teams use Sysmon via a Splunk/Elastic forwarder to augment CrowdStrike with custom detections. The problem is that it's all detection, no response. We're looking at swapping the Elastic agent for LimaCharlie to fix that. They'd keep CrowdStrike as the primary EDR, but could finally use their custom Sysmon rules to actually kill a process or isolate a host (as well as for a number of other reasons).
It should be noted that, at the time this was posted, at no point does the telemetry project state it's not used for detection. It is unfortunate that, rather than take feedback/criticism and try to improve, he resorts to personal attacks.
TL;DR: Make up your own mind. He admits people were confused enough about the project to ask him for clarification, yet somehow misses that their confusion is the entire reason I wrote this. It is also not lost on me that he spent most of today telling me the telemetry project was never about detection, while using that as the first and primary example.
He seems to not understand that if even he, the project creator, doesn't understand how to use it, people less experienced definitely won't. Hence the point of the post.
The irony speaks for itself.