
Çağatay Yürekli
CTO and co-founder of QUIRSO GmbH
Çağatay Yürekli is CTO and co-founder of QUIRSO GmbH, a Potsdam-based DFIR and rapid incident response company. He has around 10 years of experience in digital forensics and incident response and has supported hundreds of real-world incidents. His work focuses on practical detection, incident response, telemetry quality, and understanding where defensive visibility breaks down under real conditions. He previously presented at DFRWS EU 2021 on incident timeline comparison and indicators of compromise.
talks & Q&A
What Defender Really Collects: Telemetry Logic, Blind Spots, and Operational Caveats
Description:
Microsoft Defender for Endpoint is often treated as a black box, but extracted policy artifacts make large parts of its endpoint-side telemetry model readable. This talk shows how configurations, SensorHub settings, ETW provider rules, explicit filters, capping logic, and response controls reveal what Defender is instructed to collect, what it suppresses, and where visibility gaps are created by design.
It then compares an older and a newer snapshot to show how telemetry coverage and control surfaces materially changed over time. To keep the analysis grounded, the presentation correlates static policy with runtime ETW output and kernel-level traces from selected providers. The goal is not to speculate about undocumented cloud internals, but to make endpoint-side selection logic and its practical limitations understandable to defenders.
The final section presents a temporal-integrity case study from lab testing: system time shifts distorted timestamps, degraded telemetry flow, and at larger offsets appeared to reduce what reached the security portal, while local prevention still continued. This is not a vulnerability talk or a product pitch. It is a defender-focused walkthrough of how to read telemetry policy, identify blind spots, and avoid assuming that EDR data is always complete, stable, or immune to manipulation.

