arrow_back
search
close

Qué es la Telemetría de XDR

La telemetría de XDR se refiere a los datos recopilados por soluciones de seguridad específicas – incluyendo pero no limitado a email, endpoint, servidor, workload en la nube y red. Ya que cada capa o solución de seguridad contiene varios tipos de datos de actividades, una plataforma XDR recolecta la telemetría para detectar y hacer hunting de amenazas desconocidas y asistir en el análisis de causa raíz.

Tipo de telemetría por capa de seguridad

Las soluciones de seguridad recopilan datos de una variedad de eventos que ocurren en un día. Estos eventos varían desde información de archivos a los que acceden los usuarios hasta la modificación de registros en un dispositivo. Ejemplos de este tipo de datos recolectados incluyen, pero no están limitados a, lo siguiente:

Eventos de red

  • Patrones de bajo tráfico
  • Conexiones perimetrales y laterales
  • Comportamientos sospechosos de tráfico
  • Huellas (JA3) TLS (antes SSL)

Workloads en la nube

  • Cambios en la configuración
  • Instancias nuevas/cambiadas
  • Actividades de cuentas de usuarios
  • Procesos
  • Comandos ejecutados
  • Conexiones de red
  • Archivos creados/accedidos
  • Modificaciones de registros

Correo electrónico

  • Metadatos de mensajes (email externo y interno)
  • Metadatos de archivos adjuntos
  • Links externos
  • Actividades de usuario (como inicios de sesión)

Endpoints

  • Procesos
  • Comandos ejecutados
  • Conexiones de red
  • Archivos creados/accedidos
  • Modificaciones de registros

Cómo la telemetría recopilada hace la diferencia

Lo que diferencia a las plataformas de XDR es el tipo de datos recopilados y lo que se hace con ellos.

Una plataforma XDR creada principalmente en su propio stack de seguridad nativo tiene la ventaja de un entendimiento más profundo de los datos. Esto permite que la plataforma pueda recolectar exactamente lo necesario para optimizar modelos analíticos para lograr detecciones correlacionadas, investigaciones profundas y threat hunting.

Los vendors que se enfocan principalmente en obtener datos de productos de terceros comienzan, desafortunadamente, con un menor entendimiento de los datos asociados. Estos vendors probablemente no están obteniendo el tipo y profundidad de la telemetría necesarios para comprender el contexto completo de las amenazas.

Aunque es práctica común observar la telemetría, los metadatos y NetFlow, esta alerta de datos realmente no ofrece información relacionada con las actividades requeridas para correr analíticos y potenciar insights accionables.

Entender la forma en que se estructura y se almacena la telemetría es tan importante como entender cuál es la telemetría que se está recopilando. Dependiendo de los datos de actividades, las diferentes bases de datos y esquemas son mejores para optimizar la captura, consulta y uso de los datos.

Usando los datos de red como ejemplo, una base de datos de gráficos podría ser la más eficiente, pero para los datos de endpoints, sería preferible un motor abierto de búsqueda y analíticos como Elasticsearch.

Tener varias estructuras de data lake configuradas para distintos tipos de telemetría puede hacer una gran diferencia en la eficiencia de los datos y su efectividad para la detección, correlación y búsqueda.

Telemetría de XDR vs. alertas SIEM

Aunque SIEM es efectiva para agregar los logs y las alertas; no es tan eficiente para conectar múltiples alertas identificadas con el mismo incidente. Esto podría requerir una evaluación de la telemetría raíz a lo largo de las capas de seguridad.

Al potenciar la telemetría, las alertas de XDR consideran la información sobre la alerta así como otras actividades críticas diseñadas para identificar actividades sospechosas o maliciosas. Por ejemplo, la actividad de PowerShell por sí sola podría no resultar en una alerta SIEM, pero XDR puede evaluar y correlacionar actividades a lo largo de varias capas de seguridad, incluyendo el endpoint. 

Al correr modelos de detección en la telemetría recopilada, una plataforma XDR puede identificar y mandar menos alertas, pero de mayor confianza, al SIEM, reduciendo el tiempo y esfuerzo de triaje requerido por los analistas de seguridad.

Understanding XDR telemetry

XDR telemetry empowers security operations center (SOC) teams with actionable insights, consolidated from real-time data across your digital environment. It’s a mission-critical component of attack surface reduction and proactive risk management, helping SOCs aggregate and correlate data to visualize, prioritize, and mitigate threats. This also enables you to break down data silos, ensuring faster, more informed risk identification and response measures. 

Over time, XDR telemetry has evolved from simple event logging to sophisticated, real-time analytics. Early approaches gathered basic alert insights, but this is not enough to stay ahead of threat actors and truly take control of risk. Telemetry has since expanded to factor in behavioral data, traffic patterns, changes to configurations, and even encrypted fingerprinting for Transport Layer Security (TLS) clients via JA3. 

Artificial intelligence (AI), machine learning (ML), and automation play essential roles in any proactive security strategy leveraging XDR telemetry, equipping SOC teams with ample context for faster response.  

Telemetry types by security layer

Cybersecurity platforms, solutions, and capabilities collect data on a variety of events. These vary in quantity and complexity depending on the organization in question, so having a personalized, centralized platform helps to parse and prioritize them quickly. By consolidating XDR telemetry and pulling it into a secure “hub” for streamlined access, SOC teams don’t have to put up with siloed point solutions. This enables them to organize and address security events in order of urgency, mitigating alert overload and reducing resource strain. 

Event data comprises everything from user-accessed file information to registry modifications on devices. Some categorized examples include:

Network events

  • Traffic flow patterns
  • Perimeter and lateral connections made
  • Suspicious traffic behavior
  • Fingerprinting for TLS, formerly Secure Sockets Layer (SSL), via JA3 

Cloud workloads

  • Configuration changes
  • New or changed instances
  • User account activity
  • Processes 
  • Executed commands
  • Network connections
  • Files created or accessed
  • Registry modifications 

Email

  • Message metadata for external and internal email
  • Attachment metadata
  • External links
  • User activity, such as logins

Endpoints

  • Processes
  • Executed commands
  • Network connections
  • Files created or accessed 
  • Registry modifications
Illustration of telemetry types.

The role of telemetry in XDR performance

What differentiates XDR platforms is the type of data collected and how it is used.

An XDR  platform built primarily on its own native security stack has the advantage of a deeper understanding of the data. This enables the platform to collect precisely what is needed to optimize analytical models for correlated detection, in-depth investigation, and threat hunting.

Vendors who primarily pull data from third-party products tend to lack sufficient context, getting only a surface-level glimpse. They may be missing the type and depth of telemetry needed to fully understand the risks and threats organizations face. While telemetry, metadata, and NetFlow are commonly used, alert data alone can lack the activity details needed for effective analytics and insights. Understanding the structure and storage of telemetry is crucial, as it influences how data is captured, queried, and used for activity insights.

Using network data as an example, a graph database can be highly efficient, while for endpoint data, an open search and analytics engine like Elasticsearch is well suited. Having various data lake structures in place can help with detection, correlation, and search -- but only if they can “speak” to one another through a centralized XDR platform.  

Key features and benefits of effective XDR telemetry

Comprehensive data insights from your entire environment

XDR platforms gather telemetry from across your full digital environment, providing SOC teams with a clear, holistic, and complete view of security events. As touched on earlier, modern XDR telemetry extends beyond traditional logs and alerts to include activity data, network flows, process executions, and behavioral indicators.

Automated data correlation and analytics

Advanced detection models analyze and correlate disparate data sources in real time. This helps you spot attack patterns, suspicious behavior, and other risk elements across all security layers. By leveraging these insights, you can have confidence in your response actions, prioritized and informed by the latest data analytics.

Interoperability and flexible architecture

The most effective and proactive approaches to XDR telemetry seamlessly integrate with established databases, data lakes, and analytics engines. They also support efficient and streamlined storage, querying, and analyses tailored to different types of activity data.

AI and ML integration

Modern XDR leverages the power of AI and ML to analyze telemetry streams in real time. Models continually adapt to the latest threats, attack methods, and risk types to help you not just keep pace with adversaries but see their next moves. Predictive analytics help with detecting suspicious behaviors, and addressing them, before breaches occur. In other words, nothing is left to chance. These powerful integrated technologies are always learning from and adapting.

Illustration of key features and benefits of XDR telemetry.

XDR telemetry vs. SIEM alerts

Traditional security information and event management (SIEM) is effective at aggregating logs and alerts, but it isn’t as efficient when connecting multiple alerts tied to the same incident. This requires an analysis at the root telemetry level across security layers.

Leveraging telemetry, XDR alerts consider alert information as well as other critical activities designed to identify suspicious or malicious activity. For example, Microsoft PowerShell activity on its own may not result in a SIEM alert, but XDR is able to assess and correlate activities across several security layers, including the endpoint. 

By running detection models on the collected telemetry, an XDR platform can identify and send fewer, higher-confidence alerts to the SIEM, reducing the amount of triage required by security analysts. 

How does XDR telemetry work with AI and ML?

AI-powered XDR platforms can analyze vast streams of telemetry data in real time, discerning subtle patterns and anomalies that traditional methods might overlook. This capacity for rapid pattern recognition enables more accurate detection of risks and sophisticated threats, including zero-day vulnerabilities and lateral movement within networks.

Meanwhile, ML continually learns from the latest threat insights and adapts to evolving attack tactics. This makes threat identification more precise, helping SOC teams reduce false positives and focus on what needs their most urgent attention, without being overloaded or overwhelmed. By automating the correlation of data across endpoints, networks, and cloud environments, this combination of AI and ML is the proactive “one-two punch” needed to eliminate bottlenecks, streamline security operations, and accelerate incident response.

What are the challenges of XDR telemetry?

If not consolidated and prioritized correctly, the sheer volume and diversity of telemetry data—collected from endpoints, networks, cloud environments, and applications—can lead to information overload. Security teams may struggle to parse and prioritize this constant influx, creating additional risks such as missed threats, resource strain, or alert fatigue. Integrating telemetry across disparate systems also demands robust interoperability, yet technical silos and proprietary formats often hamper seamless aggregation.

Getting consistent access to accurate, real-time, relevant data is another challenge. Incomplete or inconsistent telemetry can undermine detection models, yielding false positives or causing your SOC team to overlook hidden or subtle attack patterns. There’s also a need to maintain privacy and security compliance, particularly in environments such as government, finance, and healthcare. 

Additionally, the effective deployment of AI-driven analytics within XDR platforms relies on well-trained models, which can be stymied by evolving threats and adversarial techniques. Lastly, the operational burden of maintaining, tuning, and scaling XDR solutions can strain resources, particularly for organizations with limited expertise or budget.  

What is the Trend Micro approach to XDR telemetry?

The Trend approach to XDR telemetry is built for the next generation of SOC. By integrating telemetry from endpoints, networks, emails, and cloud workloads, it correlates data across disparate security layers, turning your data silos into actionable insights while accelerating response. Powerful agentic AI, ML, and automation technologies enable you to detect risks in real time, including zero-day vulnerabilities and lateral movements that traditional tools might miss. Automated correlation and contextual risk assessment prioritize the most critical threats, empowering security teams to respond faster and more accurately. This approach also helps you prioritize interoperability, ensuring smooth integration with diverse environments and third-party solutions. 

joe lee headshot

Joe Lee

Vice President of Product Management

pen

Artículos Relacionados

Trend 2025 Cyber Risk Report
Desde el Evento hasta el Insight: Desglosando un Escenario de Business Email Compromise (BEC) en B2B
Comprendiendo las Etapas Iniciales de las Amenazas Web Shell y VPN: Un Análisis de MXDR
The Forrester Wave™: Enterprise Detection and Response Platforms, Q2 2024
Es Hora de Actualizar su Solución de EDR
La Amenaza Silenciosa: La Herramienta EDRSilencer de los Equipos Rojos Disrumpe las Soluciones de Seguridad de Endpoints
Modernice su Estrategia Federal de Ciberseguridad con FedRAMP
Líder en el Cuadrante Mágico™ de Gartner® 2025 para Plataformas de Protección de Endpoints (EPP)

Artículos Relacionados

Trend 2025 Cyber Risk Report
Desde el Evento hasta el Insight: Desglosando un Escenario de Business Email Compromise (BEC) en B2B
Comprendiendo las Etapas Iniciales de las Amenazas Web Shell y VPN: Un Análisis de MXDR
The Forrester Wave™: Enterprise Detection and Response Platforms, Q2 2024
Es Hora de Actualizar su Solución de EDR
La Amenaza Silenciosa: La Herramienta EDRSilencer de los Equipos Rojos Disrumpe las Soluciones de Seguridad de Endpoints
Modernice su Estrategia Federal de Ciberseguridad con FedRAMP
Líder en el Cuadrante Mágico™ de Gartner® 2025 para Plataformas de Protección de Endpoints (EPP)

Trend Vision One™ - La Seguridad Proactiva Inicia Aquí.

Recursos

Soporte

Acerca de Trend

Country Headquarters

  • Trend Micro - Mexico (MX)
  • Insurgentes Sur, 730 – piso 3
    Col Del Valle
    C.P. 03100, México, D.F.
    C.P. 03100, México
    México, D.F.
  • Phone: +52-55-3067-6000

Select a language

close

Explore gratuitamente nuestra plataforma de ciberseguridad

Copyright ©2025 Trend Micro Incorporated. All rights reserved.