Microsoft Defender for Endpoint Internals 0x04 — Timeline telemetry

This blog has been in draft for quite some time and for no particular reason it was never published. A recent tweet rekindled my desire to share more details about our learnings in working with MDE at large scale for many clients.

In previous blogs in this series I’ve spoken about how MDE gets its telemetry and how it stacks up against Sysmon, which audit settings it relies on and which, if not configured correctly, might give you blind spots, and lastly the telemetry unreliability and log augmentation suggestions.

In this edition we remain on the telemetry topic, specifically regarding the Timeline feature of MDE. One of the immediate differences between the Timeline and the raw telemetry that is available through the Advanced Hunting tab is that the Timeline data is stored for 180 days, whereas the raw logs are only available for 30 days, after which they are removed from the M365 portal. It is possible to retain them outside of the M365 portal, which is pretty well documented by Microsoft and out of scope for this blog post.

Cross-post from medium.com; please read the full article here:

https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x04-timeline-3f01282839e4