3.3.12. Add EDR Telemetry Data

You can import data that was previously recorded by an EDR. This feature requires a special license.

To use this feature you need to either:

  • Export data from the EDR console

  • Configure API access so that Cyber Triage can query it directly

Currently this feature supports only Defender.

3.3.12.1. Import via API

To import directly via API from the EDR server, you must first configure it. See:

[Figure: import_add_edr_api_browse.png]

To import data, click the “Lookup” button, then search for and select the hostname. The list of hosts comes from Defender.

This feature imports the last 30 days of activity for the selected host.

After pressing ‘Continue’, you will configure automated analysis settings (see Ingest-Time Settings).

3.3.12.2. Import via CSV

If you do not have access to the API, you can export data from the EDR and import those files. See:

[Figure: import_add_edr_csv.png]

You can select multiple files from different time periods as long as they are all for the same host.

After pressing ‘Continue’, you will configure automated analysis settings (see Ingest-Time Settings).
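The CSV path leaves the "same host" requirement to the analyst. The following pre-import check is an added example, not Cyber Triage code: it summarizes each export (which host it names, what time span it covers), refuses a batch that mixes hosts, and warns when two files overlap in time so the same events are not ingested twice. It assumes the exports carry a DeviceName column and an ISO 8601 Timestamp column, as Microsoft Defender Advanced Hunting exports do; the column names are constants you can change, and the sample CSV text is constructed for the example.

```python
import csv
import io
from datetime import datetime

HOST_COL = "DeviceName"   # assumed column name (Defender Advanced Hunting style)
TIME_COL = "Timestamp"    # assumed column name, ISO 8601 values


def summarize_export(text):
    """Summarize one CSV export: which hosts it names and what time span it covers.

    Returns a dict with keys hosts (set of lower-cased names), start, end, rows.
    """
    reader = csv.DictReader(io.StringIO(text))
    fields = reader.fieldnames or []
    if HOST_COL not in fields or TIME_COL not in fields:
        raise ValueError("export is missing %r or %r column" % (HOST_COL, TIME_COL))
    hosts, start, end, rows = set(), None, None, 0
    for row in reader:
        rows += 1
        hosts.add(row[HOST_COL].strip().lower())
        # "Z" suffix is normalized so the parse works on Python versions before 3.11.
        ts = datetime.fromisoformat(row[TIME_COL].strip().replace("Z", "+00:00"))
        start = ts if start is None or ts < start else start
        end = ts if end is None or ts > end else end
    return {"hosts": hosts, "start": start, "end": end, "rows": rows}


def check_exports(exports):
    """Validate a batch of exports {filename: csv_text} before importing them together.

    Errors (do not import): a file with no rows, a file that mixes hosts, or files
    for different hosts. Warnings (import may proceed): overlapping time ranges,
    which would ingest the same events twice.
    """
    errors, warnings, summaries = [], [], {}
    for name, text in exports.items():
        s = summarize_export(text)
        summaries[name] = s
        if s["rows"] == 0:
            errors.append("%s: no rows" % name)
        elif len(s["hosts"]) > 1:
            errors.append("%s: mixes hosts %s" % (name, sorted(s["hosts"])))
    all_hosts = set()
    for s in summaries.values():
        all_hosts |= s["hosts"]
    if len(all_hosts) > 1:
        errors.append("exports span different hosts: %s" % sorted(all_hosts))
    # Pairwise check of the covered time spans for overlap.
    names = [n for n in summaries if summaries[n]["rows"]]
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa, sb = summaries[a], summaries[b]
            if sa["start"] <= sb["end"] and sb["start"] <= sa["end"]:
                warnings.append("%s and %s overlap in time" % (a, b))
    covered = [summaries[n] for n in names]
    return {
        "ok": not errors,
        "host": next(iter(all_hosts)) if len(all_hosts) == 1 else None,
        "errors": errors,
        "warnings": warnings,
        "start": min(s["start"] for s in covered) if covered else None,
        "end": max(s["end"] for s in covered) if covered else None,
    }


# Constructed sample exports for the example (not real telemetry).
WS01_JAN_A = """Timestamp,DeviceName,ActionType,FileName
2024-01-02T10:00:00Z,ws01.corp.local,ProcessCreated,cmd.exe
2024-01-14T23:59:00Z,ws01.corp.local,ProcessCreated,powershell.exe
"""
WS01_JAN_B = """Timestamp,DeviceName,ActionType,FileName
2024-01-16T08:00:00Z,WS01.corp.local,NetworkConnection,chrome.exe
2024-01-29T12:00:00Z,ws01.corp.local,ProcessCreated,rundll32.exe
"""
WS02_JAN = """Timestamp,DeviceName,ActionType,FileName
2024-01-05T09:00:00Z,ws02.corp.local,ProcessCreated,explorer.exe
"""

if __name__ == "__main__":
    good = check_exports({"ws01_a.csv": WS01_JAN_A, "ws01_b.csv": WS01_JAN_B})
    print("ok=%s host=%s covers %s .. %s" % (good["ok"], good["host"], good["start"], good["end"]))
    bad = check_exports({"ws01_a.csv": WS01_JAN_A, "ws02.csv": WS02_JAN})
    print("ok=%s errors=%s" % (bad["ok"], bad["errors"]))
```

Hostnames are compared case-insensitively because the same device can appear as `WS01` in one export and `ws01` in another; if your EDR distinguishes hosts by a device ID rather than a name, point HOST_COL at that column instead.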