Endpoint security solutions collect large amounts of data from across your network in order to detect intruders. These signals are processed quickly to generate prompt, valuable security alerts and insights with a high signal-to-noise ratio while allowing operational continuity. During this process, certain data is typically dropped to reduce noise and optimize product performance and efficiency, which frees capacity to apply more complex signal logic to the significant data that is retained. With this approach, signals are continually filtered until high-fidelity indicators of attack or compromise are found.
Historically, Microsoft Defender for Endpoint has taken this approach and opted against preserving redundant and irrelevant signals, choosing to highlight the higher-fidelity signals that matter most to SOC analysts. With that said, some of you have shared that you would like the option to review all collected signals.
Our goal as an endpoint security solution is to provide you with transparency and confidence, so we’re pleased to announce that aggregated reporting of system activity is now available in Defender for Endpoint in public preview. This feature ensures that essential event properties valuable to investigation and threat hunting activities are continuously collected for key activities, signals, and events. As always, we strive to keep you in control, so switching on this feature for greater visibility is optional.
What you can expect:
- Summarized information for supported event types, including otherwise low-efficacy telemetry that can be used for investigations and threat hunting.
- All the telemetry that you are used to seeing today.
Note that because this feature increases the volume of events recorded, your SIEM or storage solutions may incur higher storage costs if you stream Microsoft Defender for Endpoint Advanced Hunting tables (such as to Microsoft Sentinel). The exact increase varies by organization.
To enable this feature and for more information, technical details, and guidance, please visit: Aggregated reporting in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn
Updated Jan 22, 2025
Version 1.0
SaarCohen, Microsoft
Microsoft Defender for Endpoint Blog